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REDUNDANT ACTUATOR DEVELOPMENT STUDY 


By D* R. Ryder 


1,0 SUMMARY 

This report is submitted in compliance with contract 
NAS2-7653. Multiple redundant actuators applicable 
to advanced supersonic transport flight control sys- 
tems have been studied. The study included the reviev 
of recent developments in redundant control systems 
and control requirements of supersonic transport con- 
figurations. Secondary actuators used in stability 
augmentation systems were found to require the highest 
level of redundancy. Two methods of actuator redundancy 
mechanization representative of those that will most 
likely be used in future airplanes have been recommended 
for further study. Actuator math models of the two 
methods of actuator redundancy have been developed 
that will allow investigation of wide range of actua- 
tor failures, mechanization of failure detection and 
channel equalization methods, and adjustment of actu- 
ator parameters to match the requirements of various 
advanced airplanes. A long range plan has been form- 
ulated that will lead to actuator hardware development 
and testing in conjunction with the NASA Ames Flight 
Simulator for Advanced Aircraft (FSAA) to allow 
investigation of pilot and control system interaction. 
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2.0 


INTRODUCTION 


Any advanced supersonic transport airplane will have to he 
economically competitive with large subsonic airplanes. 
Economic supersonic flight will require taking advantage 
of all possible gains in aerodynamic efficiency and reduc- 
tions in airplane weight. It will probably require using 
configurations that are unstable in the pitch axis. For 
these configurations to be safe and have acceptable handling 
qualities, the airplane stability must be augmented through 
the control system. Since the stability of the airplane 
then becomes flight critical, the control system reliability 
must approach that of the basic airframe. 

Fault corrective capability that will meet the system 
reliability requirements and also satisfy the FAA regula- 
tions dictate flight control system configurations that 
can survive two failures and still remain operational. 

The performance level after failure may degrade to less 
than normal but must remain adequate to complete the mis- 
sion, Safe operation after failure may require a restricted 
flight envelope. 

Use of rediindancy to achieve reliability has always been an 
accepted engineering design technique. However, the advan- 
tages of redimdancy are not easily realized in control 
systems because of signal channel interaction, failure 
effects, performance degradation after failures, null shift 
with channel changes, and failure detection problems. If 
force summed multiple actuators are used to drive a single 
load, actuator load sharing becomes a concern. Methods of 
insuring proper load sharing can reduce load reaction stiff- 
ness, cause poor resolution, and may lead to dynamic 
instability if not properly designed and built. Monitoring 
used to effect the orderly shutdown of failure elements may 
cause inadvertent shutdown of good elements. All of these 
problem areas with respect to redundant actxxators show a 
need for further study of actuator redtindancy. The inter- 
action of pilots and airplanes with redundant control 
system designs is important because of performance changes 
and control transients that occur with failure or actuator 
shutdown. The NASA Ames Flight Simulator for Advanced 
Aircraft (FSAA) is well suited to investigation of 
advanced control systems. 
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This report covers the initial portion of a study that vill 
culminate in control system hardware (or mini-rig) con- 
nected to the FSAA. This initial portion of the study 
Includes the selection of redundant actuator concepts that 
are representative of those that will most likely be used 
in advanced flight control systems, the development of 
math models of those systems, and formulation of a plan 
for the next phase of the study program. 



3.0 


STUDY TASKS 


This study has been divided into four tasks. A report on 
the work performed in completion of the tasks is covered 
in this section, 

^.1 TASK 1 - REVIEW OF REDUWDAJJ T ACTUATION DEVELOPMENT FOR SST 

APPLICATION 

3 . 1.1 Airplane Configuration and Control Redundancy Requirements 

The starting point for this study was to review current and 
past supersonic transport configurations as well as non SST 
work to survey the various redundancy mechanization schemes 
used in both surface power actuators and secondary actuators. 
Secondary actuators are defined as small, actuators used in 
^ fly ^'by— wire ^ autopilot , or stability augmentation control 
systems as a stage of amplification and a method of con- 
verting an electrical signal into a mechanical displacement. 

Examination of these configurations and their control 
requirements has led to two conclusions: 

o The minimum redundancy requirements for surface povrer 
actuators are basically the same for flight control 
surfaces on all advanced supersonic transport 
configuration s . 

o The most stringent redundancy requirements will be set 
by stability augmentation systems used on unstable 
airplane configurations. 

The discussion that follows develops the reasoning behind 
these conclusions. 


Economic supersonic flight will require the lightest possible 
airplane. The need to minimize airplane weight reduces the 
permissible use of mass balance of control surfaces about 
the hinge line as a means of preventing control surface 
flutter. If mass balance is not used^ the surface must be 
restrained by the surface power control actuators , 

The Federal Aviation Regulations, Volume III, Part 25, 
paragraph 25.629, "Flutter, deformation, and fail-safe 
criteria,” requires that an airplane be free from flutter 
after any single failure in the flight control system, 
plus any other "reasonably probable” single failure or mal- 
function affecting flutter. Hydraulic system failures are 
classified as "reasonably probable" by the FAA. Therefore, 
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vhen airplane design dictates that control surfaces be 
restrained by the flight control system to avoid the mass bal- 
ance weight penalty, these requirements dictate a need for at 
least two surface power actuators and three hydraulic systems 
for each surface. As an example, the Concorde utilizes two 
surface power actuators per surface, each with a separate 
hydraulic supply, plus a third standby hydraulic system which 
can be switched to supply either actuator. This is an accept- 
able system only if a failiire analysis shows that a single 
failure such as a leak in one actuator which could deplete a 
normal system and the standby system in combination with 
another hydraulic system failure is extremely remote. 

Independent of considerations for suppression of surface 
flutter, surface power actuator redundancy is also influenced 
by the need to maintain control of the airplane flight path. 
The Federal Aviation Regulations, Volume III, Part 25, 
paragraph 25.671, requires, in part, that the airplane must 
be capable of safe flight and landing after any single failure 
excluding jamming, in combination with any probable hydraulic 
system failure. 

One form of redundancy to assure continuance of control 
function would be to use multiple aerodynamic surface seg- 
ments, independently controlled, in each airplane axis. If 
actuator redundancy were not required for prevention of flut- 
ter, each surface could be controlled by a single actuator. 
Degraded, but safe, operation could be possible if one or 
more surface segments became inoperable. 

There seems little doubt that the need for maximum aerodynamic 
efficiency and minimum weight in an advanced supersonic trans- 
port would prohibit consideration of either a multiplicity of 
aerodynamic control surfaces for control system redundancy 
or use of mass balance for flutter prevention. These two 
factors are sufficient to set the minimum redundancy level 
for surface power actuators. The most efficient and safe mech 
anization will be three surface power actuators per surface, 
each supplied by separate and Independent hydraulic systems. 

It has been shown in previous studies by Boeing and others 
that gains in aerodynamic efficiency and reduction in air- 
plane weight can be achieved by placing the operating center 
of gravity aft of the longitudinal maneuver point, 

(References 2 and 3). The resulting unstable airplane must 
be augmented through the flight control system to provide 
acceptable handling qualities* If the stability of the air- 
plane is critical such that loss of the augmentation means 
loss of the airplane, the control system reliability must 
approach that of the basic airplane. To achieve this level 



of reliability, special considerations must go into the^ 
design* Such considerations include design simplification, 
derating of components , elimination of electrical connectors , 
and physical isolation of electrical wiring and hydraulic 
power* Even with these considerations redundancy is usually 
req^uired to get satisfactory reliability from complex 
electronic control systems and actuators. 

It is believed that for any future advanced supersonic 
transport, airplane requirements will dictate reliance on 
flight critical systems requiring a minimum of four augmen- 
tation channels or three channels appropriately monitored. 
This level of redundancy is the minimum required to insxire 
continued safe control of the airplane after two failures. 


3,1,2 Secondary Actuator Redundancy 

The power levels associated with the electronic stability 
augmentation system must be kept at low levels as a matter 
of good design. These low level commands are required to 
command surface actuators that operate at high power levels. 
Converting the low level electrical commands to surface dis- 
placements controlled by hydraulic power requires several 
stages of amplification. 

Review of current redundant actuation systems shows an 
almost universal use of secondary actuators as one of the 
stages of amplification. Using secondary actuators provides 
a convenient method of reducing four channels of augmentation 
signals to the command required for the two or three surface 
power actuators. Secondary actuators provide a single valued 
mechanical input which allows utilization of simple reliable 
mechanical surface actuators. 

The most prevalent methods of forming a single valued 
mechanical signal at the secondary actuator output are 
force summation, displacement summation, and active /standby 
operation. These mechanization methods are illustrated in 
figure 1, Rate summing of signals is another method of 
secondary actuator mechanization being used, 

3.1*3 Survey of Current Actuator Hedtindancy Mechanization 

The survey of current redundant actuation systems resulted 
in examination of ten flight control systems listed below. 
With the exception of the commercial airplane systems (7^T * 
L-1011 and Concorde), all meet the operation capability 
required for an advanced supersonic transport. 
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Control Systems Examined 


1. « Boeing SST Horizontal Statllizer Actuation System 

2. Space Shuttle HHM-A Secondary Actuator 

3. Space Shuttle HRM-C Secondary Actuator 
U, NASA F8-C Fly-Tsy-Wire Secondary Actuator 
5* General Electric 680J Secondary Actuator 
6, MRCA Secondary Actuator 

T. Boeing 7^7 Elevator Control System 

8, Lockheed L-1011 Longitudinal Control 

9. Concorde Eleven Control 

10. LTV 680J Electromechanical Secondary Actuator 

Comparison Factors 

This section contains a discussion of the important factors 
used hy the investigator to evaluate the systems. This dis- 
cussion is placed before the description of each system to 
aid the reader in identifying system differences. Description 
of the LTV electromechanical secondary actuator is not in- 
cluded. Boeing SST studies indicated that this type of system 
would have difficulty meeting FAA requirements for flight 
critical systems, 

1. Load Sharing 

Load sharing is a measure of the ability of multiple 
actuators to work together in positioning a common 
output. Load sharing is a problem pec\iliar to force 
summed actuators since, obviously, there is no force 
fighting in an active/ standby system when only one 
system controls at a time or in a position summed 
system where forces of individual actuators are additive. 

There are several methods used in achieving load sharing. 
Ideally, it is desirable that the load be divided equally 
among redundant actuators to eliminate any force fighting. 
However, since each actuator tries to position the load 
according to the net command it senses, any differences 
in the effective commands cause force fighting to occur 
between the actuators. By net command differences are 
meant the tracking errors that arise due to tolerance 
buildup in each actuator servo loop and actuator instal- 
lation, To minimize force fighting in multiple actuators 
and assure acceptable sharing of the load, four methods 
are commonly used! 

a. Provide accurate tolerance control of the feedback 
loop of the actuator. 



A mechanical actuator is fairly easy to mechanize 
with good tolerance control because of the manu- 
facturing accuracies that can he obtained and the 
unchanging nature of the mechanical linkages. 

As an example, if a single mechanical servo valve 
vlth multiple control sections is used to control 
multiple actuators, the valve can be machined to 
tolerances which assure reasonable load sharing 
usually within 10 percent of system force capability. 

An electrically controlled actuator has elements 
such as summing amplifiers, demodulators, and feed- 
back transducers which can change characteristics 
with time, temperature and power. It is generally 
accepted that the tolerances associated with an 
electronically controlled actuator are signifi- 
cantly greater than for a mechanically controlled 
actuator. 

Provide sufficient compliance to reduce force 
fighting. 

In some applications the structural compliance 
between actuators can be designed to reduce force 
fighting. In other applications feeding back 
deflections of the actuators reaction structure 
has been sufficient to provide the desired load 
sharing. When structural feedback or compliance 
between actuators is insufficient or undesirable 
from other aspects, static pressure feedback has 
been used to provide the required compliance. 

Feeding back a signal proportional to differential 
pressure has the effect of increasing the actuator 
compliance, thereby reducing the force differences. 
This signal can be an all mechanical feedback to a 
mechanically controlled actuator or can be electri- 
cal to an electronically controlled actuator. 

However, there is a limit to the amount of compliance 
that can be achieved without reducing the overall 
stiffness below a minimum allowable level. This 
method has been used successfully where the inputs 
are reasonably matched, such as a set of surface 
power actuators signalled by a common mechanical 
command or in secondary actuators where the output 
load is small. 



c. Equalization to average load. 

For cases where the actuators are required to 
operate into large aerodynamic loads and have 
uncontrolled input mismatch the pressure feedback 
system requires modification to be useful. The 
individual actuator feedback must be compared to 
the average load. Computation of the average load 
and the individual difference from averaging 
require cross channel comparison. This method 
does not degrade actuator stiffness. 

Input Mismatch 

Although mismatched inputs to a multiple actuator 
system create a load sharing problem, methods of elim- 
inating or minimizing mismatch require separate 
discussion. Differences in commands (input mismatch) 
that can build up due to tolerances in an electrical 
control system from sensor to actuator can be quite 
high, as much as a quarter of full scale command, 
unless some design action is taken to prevent such 
buildup. It should be noted that difference in com- 
mands generated by actuator loop tolerances are an 
order of magnitude less than those generated by 
computational elements in the upstream portions of 
the system. 

It is advantageous to treat the computation errors and 
actuation errors independently by inserting a synchron- 
izing stage between the two functions. The 
synchronizing stage provides a single valued command 
and may be an electronic voter or a mechanical output 
of a secondary actuator arrangement. Some of the 
advantages of synchronizing are: 

o If the surface power actuators can be isolated 
from the upstream command dlfferoKces, the task 
of providing adequate load becomes easier, per- 
mitting a simpler and more reliable mechanization 
of the power stage. 

o A secondary actuator that provides a synchronizing 
stage can operate at relatively low .force levels. 

If properly designed, it can provide the high levels 
of confidence, freedom from catastrophic failures, 
and immunity from outside interference. 



Although a secondary actuator arrangement can provide 
a single valued command to a set of surface power 
actuators, the prohlem of input mismatch is not elim- 
inated hut transferred to the secondary actuator. 

However, the magnitude of the problem is less severe 
because the secondary actuators operate at significantly 
lover force levels. The methods of secondary actuator 
mechanization to deal with the mismatch probl^ are 
itemized below. 

o Force Voting 

By force voting several actuators on a common output 
an output representing the mid value of all commands 
can be achieved. Feedback can be used to increase 
input mismatch allowables. In some applications the 
only possible way of controlling command differences 
may be the use of electronic signal conditioning 
to provide less of an input mismatch. 

o Active/Standby 

Usually the active actuator is commanded by a single 
electronic channel and mismatch is of no concern 
during operation. Mismatches between the commands 
of the active and the standby channel are of concern, 
however, and must be minimized to avoid large sur- 
face transients upon switching from active to standby 
actuators. 

o Position Summing 

Position summing secondary actuators differently 
results in a single output which is the average of 
the input commands . 

o Rate Summing 

Rate summing secondary actuators allow the 
individual channels to cancel command differences 
by differentially summing rates. 

Failure Insensitivity 

Failure insensitivity is the ability of the redundant 
system to accept a failure and automatically continue 
operation with a minimum surface transient. If the 
system performs a critical function, operation must 
be maintained in the presence of a failure; i.e., be 
fail operational. However, a fail— operational system 
does not insure minimum surface transients. The 



criticality of transients has an impact on the detail 

design of the system. Several means of providing fail 

operational capability are discussed below. 

a. Fail-operational capability can be achieved by 
majority voting three or more active actuators. 

With three active channels, operation continues 
after the first failure. With four channels, 
operation continues after two failures, if the 
first failed channel is disconnected before the 
second channel fails. 

Majority voting can be mechanized either by force 
voting or by displacement sximming. In the force 
voted system the failed channel is automatically 
overpowered by the remaining channels and the 
magnitude of the surface transient can be insigni- 
ficant. Displacement summing provides an average 
output but has an inherent surface transient and 
a steady state null offset. The magnitude transient 
is dependent upon the closed loop system response. 

b. Another approach is to use a monitor and comparator 
or failure detection device to assess which channel 
of the system has failed and automatically dis- 
connect it. This approach may be used to maintain 
fail -operational capability with fewer channels 

if each channel is monitored for failures indepen- 
dently, Another method of reducing the number of 
working channels is to add a model of a working 
channel and use cross channel monitoring for failure 
detection. While this extends operational capability 
with one less active channel its effectiveness 
depends on how well the model matches the actual 
hardware. In certain applications, where actuators 
are large and where weight is critical, the model 
approach may provide a way to minimize the overall 
weight. 

c. When it is possible to use multiple aerodynamic 
segments, independently controlled, degraded but 
safe operation may be possible with one or more 
segment failed. This feature is used in current 
airplanes. However, as explained previously, 
advanced supersonic airplanes will probably be 
limited in use of control sxirface redundancy par- 
ticularly in the longitudinal axis because of the 
need to attain maximum aerodynamic efficiency. 



U, Failure Detection Capability 

Failure detection and indication of failures during 
operation must te provided so that the failed channel 
can be turned off to preserve the integrity of the 
system. The failure detection system must be designed 
to detect all types of failtires; active, passive, 
oscillatory, slow overs or ramps which could themselves 
or in combination with another failure produce an unsafe 
situation. 

In some mechanizations, immediate failure detection is 
required to keep the airplane safe. For instance in an 
active/ standby system rapid detection of the first fail- 
ure and automatic switching to the standby is mandatory 
to avoid large surface transients which could overstress 
the airplane. 

The ability of the failure detection system to sort out 
legitimate failures from apparent failures such as 
might occur due to adverse tolerances has an equivalence 
in reliability. If the failure detection system trips 
a channel off inadvertently due to an apparent failure, 
the equivalent mean-tlme-between-failure (MTBF) for the 
system may be significantly affected. 

5o Self Testing Capability 

Preflight self testing will be required to detect those 
failures that may not normally be detected by the in- 
flight failure detector. The test should be simple but 
yet complete enough to assure with confidence that the 
redundant system is in satisfactory condition. It is 
desirable that the self test be of the push-to-test for 
a "Go,” ”No-Go” indication. Quantitative measurements 
should be avoided, in favor of more simple continuity 
testing. Systems should be able to be tested by using 
the normal failure monitors to sense the presence of an 
inserted test signal. 

The quality of self test features also has an equivalence 
in reliability since testing reduces the exposure time 
to an undetected failure. 
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6. Reliability 


The reliability requirement for a particular system is 
based on the function it performs, the consequences of 
failure, and the duration of each mission* Primary 
assessment will assume the requirement for a system 
to remain operational after two failures, However, 
as a system becomes more complex, more failures will 
occur and reduce overall reliability even though the 
the requirement to remain operational after two 
failures has been met, 

7, Simplicity 

While redundancy increases in-flight reliability and 
provides various degrees of flight control operation 
dependent upon requirements, redundancy does increase 
the initial procurement cost as well as maintenance 
cost and is reflected in increased maintenance work 
load. 

If the function can be done with a less complex mechanism, 
usually it can be done more reliably, as there are fewer 
things to go wrong, Al.so, the cost will be less. As 
noted above, failure detection and checkout capability 
must be included in the system definition, and this can 
grow to be a very significant part of the total system 
complexity. 
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3.1. 3.1 Boeing SST Horizontal Stabilizer Actuation System 


The all^moving horizontal stabilizer of the Boeing SST 
vas powered by four surface power actuators arranged side 
by side, each supplied by a separate and independent hydrau- 
lic system. The actuator size was chosen to provide hinge 
moment capability for safe control and to meet flutter 
requirements with any two hydraulic systems failed. Though 
three surface actuators would have met redundancy require- 
ments, four actuators were used in order to reduce the 
amount of installed hinge moment capacity. If three actuators 
had been used, each would have been required to meet the min- 
imum hinge moment requirement and the total capacity would 
have been three times the minimum. When four actuators are 
used each can satisfy one half the minimum requirements. The 
total installation has only two times the minimum requirement. 
The stability augmentation system and secondary actuators 
were also four channel to provide operational capability after 
two failures. 

The overall SST pitch control system is shown in figure 2, 

The secondary actuators used for stability augmentation were 
termed EC servos on the SST because they also received 
^electrical command" (EC) signals from the pilot controls. 

The output of the secondary actuator was summed with the 
pilot’s mechanical input system on a differential link. The 
secondary actuators were integrated with (built as a part of) 
the surface power actuators as shown in figure 3. This 
mechanization has the advantage of having the summing linkage 
that receives the secondary actuator output protected inside 
an oil filled cavity. The outputs of the four secondary 
actuators were force voted on a torque tube (identified as 
the EC sync shaft and detent in figxire 3). Each actuator 
connection to the torque tube was through a detent mechanism 
that allowed motion of the torque tube with any secondary 
actuator jammed. If a secondary actuator was shut off or 
received an erroneous signal, those remaining could provide 
inputs to all four surface power actuators. If a secondary 
actuator jammed, the surface power actuator that it was a 
part of could not receive proper signals and had to be shut 
off. 

The secondary actuator piston was controlled by an 
electrohydraulic servovalve with the position loop closed 
electronically in a servo amplifier. Across each piston was 
connected a spring detented bypass vadve set to open when 
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the differential pressure reached 292 psi which equaled a 
reflected load on the piston of 150 pounds. The bypass 
valve motion versus differential pressure is shown in figure U. 
The valve motion was converted to an electrical signal by a 
linear differential transformer (LVDT). Pressure unbalances 
of either a steady state or dynamic nature that occurred 
between channels were corrected by feeding back to the servo 
amplifier two voltages; one proportional to the displacement 
of the bypass valve to equalize dynamic differences in com- 
mands, and One proportional to the integral of the bypass 
valve displacement to equalize any steady state differences 
in commands whenever the proportional equalization signal 
exceeded a chosen threshold for a set interval of time, the 
channel annunciated to the flight crew. The flight crew 
then manually shut down the secondary actuator portion of 
the failed control channel. 

If two channels had failed and had been shut off, the 
remaining two secondary actuators remained operational. 

Upon a third failure, the system force voted to null by 
the centering springs of the shutoff channels, rendering 
the system passive. This mechanization method minimized 
surface transients for any single failure and did not 
rely on failure detection for safety. 

3. 1.3. 2 Space Shuttle HRM-A Secondary Actuator 

The servo actuator is an electrohydraulic , three-channel , 
active /standby configuration developed by Hydraulic Research 
and Manufacturing Company (HRM) . The actuator description 
was obtained from reference 6, This actuator is an imple- 
mentation of redundant hydraulic control employing monitoring 
to attain the capability to sustain two failures and continue 
to operate. 

A modular design approach was used. The actuator (figure 5) 
consists of three independent systems or modules with complete 
hydraulic isolation that control a triple tandem piston. Only 
one system controls the actuator at any one time. If a mal- 
function occurs in the controlling system, a switch is made 
to a standby system, thus, there is neither a loss in output 
force nor a performance degradation after the failure, Each 
system has two electrohydraulic servovalves, one which controls 
flow to its piston and one monitor servovalve which monitors 
the second stage spool position of the active servovalve. 

These six servovalves are modified HRM model 25 two-stage 
nozzle flapper valves. The servovalve consists of an 



electrical torque motor and hydraulic output stage. The 
output stage of the active valve is a dosed center slide 
valve which means that the spool is designed to block fluid 
flow when at the null position. Current flowing in the 
torque motor coils induces a torque in the armature, which 
pivots the flapper slightly toward a nozzle. This motion 
unbalances the hydraulic amplifier circuit, causing a pressure 
difference to be generated between the two end chambers of 
the second stage spool. This pressure difference creates 
motion in the second stage spool. Spool position is reflected 
as feedback torque on the torque motor armature by means of 
the mechanical feedback spring. Thus by closing the servo 
mechanism loop, spool position is proportional to input 
current. Rectangular metering slots in the second stage 
spool cause flow proportional to input current. 

The HRM model 25 valve has been modified by adding a second 
monitor flapper and nozzle (figure 6). The only difference 
between the active servovalves and the monitor valves is that 
the monitor valves have a blank spool in place of the second 
stage spool and sleeve. Both of them have a monitor flapper 
and nozzle. The function of the monitor flapper and nozzle 
is to develop pressures proportional to the position of the 
second stage elements of the active and monitor valves. 

These two pressures are fed to opposite ends of a comparator 
spool. If no malfunction occurs these two pressures will 
vary but will remain equal in magnitude and the comparator 
spool will remain centered. 

The system operates in the following manner. Referring to 
figure 5« after hydraulic pressure is available, all three 
”on” solenoid valves are pulsed to engage the system. Once 
pulsed, each solenoid valve is held on its seat by its system 
hydraulic pressure. This pressure drives the three engage 
valves against the engage valve spring located at the left 
end of the system 3 engage valves. This activates system 1. 
The active servovalve in system 1 controls the actuator. 

The pistons of systems 2 and 3 are bypassed and the output 
ports of “active” valves 2 and 3 are blocked by their engage 
valves. 

If a malfunction occurs, the second stage positions of the 
active and monitor valves will differ. This will cause a 
pressure difference on the comparator spool creating motion 
of the spool. When the pressure difference exceeds a pre- 
determined threshold, motion of the comparator spool will 
dump the system 1 pressure that has been holding the engage 
valve against the spring to return. The engage valve moves 



to the right until it is stopped hy the system 2 position 
piston. System 1 engage valve is then in the bypass position. 
The bypass position connects the cylinder ends of system 1 
piston and blocks the output of the active servovalve of 
system 1, System 2 vill then become the active channel and 
will operate in exactly the same way as system 1. The failure 
threshold of the comparator can be easily varied. After the 
optimum threshold is determined by test, it will remain fixed 
in the design. 

If a malfunction occurs in system 2, a switchover to system 3 
will be accomplished in the same manner. If system 2 has 
previously failed, the switch will be from system 1 to 
system 3. In this design, only a channel that is operational 
is capable of gaining control of the actuator, 

A third failure will cause the actuator to fail in a bypass 
mode on all three systems. System failure is detected by 
a pressure switch on each comparator valve. 

Pressure loss in any system that exceeds a predetermined 
threshold will cause the ball in the solenoid valve to 
unseat, thus, switching to the next channel. 

After malfunction, any one system will not come back on line 
until the ”on” solenoid valve is pulsed. If the malfunction 
has been corrected, input to the comparator from the active 
and monitor channels will be identical, indicating the system 
is capable of normal operation. If the malfunction is still 
present, the system will immediately switch off line as 
before . 

Attached to the actuator output are four position feedback 
linear variable differential transducers (LVDTs). One LVDT 
is dedicated to each of the three channels for servo position 
feedback and all LVDT signals are used for LVDT failure 
detection logic. This logic uses a cross channel failure 
detection method. Each LVDT signal is compared with the 
signals from all other working LVDTs, A fail decision is 
made if the signal of that LVDT differs appreciably from that 
of the other LVDTs. The failure threshold is an error volt- 
age equal to that generated by displacing the actuator five 
percent of full travel. The detection of a failure energizes 
a latching relay which provides a positive d.c, bias voltage 
to the monitor servo amplifier. This causes the hydraulic 
logic to disengage the channel with the failed LVDT. 



3. 1.3- 3 Space Shuttle HRM-C Secondary Actuator 

This servoactuator is an electrohydraulic , 'three— channel , 
force-stumning configuration developed by Hydraulic Research 
and Manufacturing Company (HRM), The actuator description 
is based on information given in reference 7. This actuator 
is 8 J 1 implementation of redundant control employing indivi- 
dual channel monitoring using duplicated signal paths to 
provide failure monitoring for channel shutdown. 

A modular design approach is used to provide the required 
redundancy. This actuator (figure 7) consists of three ^ 
independent systems or modules with complete hydraulic isola- 
tion controlling triple tandem pistons. All systems that are 
operating control the actuator. When a malfunction occurs in 
any system, that system is blocked by a shutoff /bypass valve, 
and the force output capability of the actuator is decreased 
proportionally. The actuator piston for that system goes 
into a bypass mode. Each system has an active two stage 
electrohydraullc servovalve which controls flow to its piston 
and a second electrohydraullc servovalve which is used to 
monitor the second stage spool position of the active servo- 
valve. The active and monitor valves are identical to those 
described in section 3. 1.3. 2. The pressures induced by the 
monitor flapper and nozzle portions of the active and 
monitor valves are fed to opposite ends of a comparator spool. 
With normal operation, the pressures will vary but will 
remain equal. Motion of the comparator spool beyond a 
predetermined threshold due to unequal pressures is an 
indication of failure. 

The actuator operates in the follo'wing manner. Referring to 
figure 7, after hydraulic pressure is available, the three 
”on” solenoid valves are pulsed to engage the actuator. Once 
pulsed, the solenoid valves are held on their seats by system 
hydraulic pressure. This pressure drives the three shutoff 
valves against their springs and activates the three systems. 
The active servovalve in each system controls each section 
of the actuator. 

If a malfunction occurs the outputs of an active and monitor 
valve will differ. This will cause a pressure difference on 
a comparator spool causing motion of the spool. When the 
pressure difference exceeds a predetermined threshold, motion 
of the comparator spool will dump the supply pressure that 
had been holding the shutoff valve of that system to return. 
The shutoff valve of the failed system will be forced by 
the spring pressure into a bypass position. The bypass pos - 
tion blocks the output of the active servovalve of the failed 
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system and connects the cylinder ports to permit the 
actuator to operate with the remaining controlling systems. 
System failure is detected hy a pressure switch on the 
comparator valve. 

The failure threshold of the comparator can be easily varied 
by either changing the spring rate or overlap of the com- 
parator spool. Once the optimum threshold is determined by 
test on a particular system it will remain fixed. 

If a malfunction occurs in a second system it will be also 
placed into a bypass mode. The remaining system will con- 
tinue to control the actuator. The sequence of system 
failure is no problem. All systems are operational and 
only a failed system is switched out . A third failure will 
cause the actuator to go to a bypass mode on all three 
systems. 

After a malfunction a failed system will not come back on line 
until the "on” solenoid valve for that system is pulsed. If 
the malfunction has been corrected, pressure will hold the 
solenoid valve ball on its seat, the input to the comparator 
spool from the active and monitor valves will be identical, 
the shutoff valve will be pressurized, and the pressure switch 
will cycle, thus returning the system to normal operation. 

If the malfunction is still present, the system will 
immediately switch out as before. 

Differential pressure transducers are used to provide 
pressure feedback information for an electrical pressure 
gain reduction circuit, A pressure transducer sensing pres- 
sure across each piston generates zero voltage at zero 
differential pressure and 20 millivolts at 3000 psi differ- 
ential pressure. The differential pressure feedback reduces 
the pressure gain (per system) from 6000 to psi per 

milliampere to approximately 750 psi per milliampere. This 
gain reduction reduces the possibility of deadband resulting 
from actuator force fighting. 

Attached to the actuator output are four position feedback 
linear variable differential transducers (LVDTs). One LVDT 
is dedicated to each of the three systems for servo position 
feedback and all four LVDT signals are used for LVDT failure 
detection. A cross— channel failure detection method is used. 
Each LVDT signal is compared with the signals from all other 
working LVDTs. A fail decision is made if the signal of the 
LVDT differs appreciably from that of the other LVDTs. The 
failure threshold is an error voltage equal to that generated 



by displacing the actuator five percent of full travel. The 
detection of an LVDT failure energizes a latching relay vhich 
provides a positive d,c. bias voltage to the monitor servo~ 
amplifier. This causes the hydraulic logic to disengage the 
channel with the failed LVDT. By using this LVDT failure 
detection method the number of LVDTs required to make the 
actuation mechanization work is reduced from 6 to U, 


3.1«3.^ MSA F8~C Fly^By~Wlre Secondary Actuator 

The system consists of four electrohydraulic control channels 
and triple tandem pistons. One of the control channels has 
an active electrohydraulic servovalve plus a monitor servo- 
valve. Referring to figure 8, this is identified as servo 
system 1, The system is an active/ standby configuration which 
consists of the monitored primary channel (servo system l) 
with hydraulic logic failure detection and three force summed 
standby channels with electronic failure detection. The 
total package is supplied by two separate hydraulic supplies. 
The design provides complete hydraulic system isolation. 

Servo system 1 consists of two two-stage, flapper nozzle 
servovalves, one active and one a monitor. These valves are 
the same as those described in paragraph 3. 1.3. 2. The active 
valve controls the actuator output sind is monitored hydraul- 
ically by the monitor servovalve and hydraulic comparator. 

If a failure occurs, the outputs of the active and monitor 
valves will differ. This will cause a pressure difference 
on the comparator spool, causing spool displacement. When 
the pressure difference exceeds a predetermined threshold, 
displacement of the comparator spool will dump to return the 
supply pressure holding the engage valve. The engage valve 
of servo system 1 will be forced by spring force into a 
blocked position. The blocked position blocks the output of 
the active servovalve of system 1. The failure threshold 
of the comparator can be easily varied by spring rate 
adjustment or overlap of the comparator spool. 

After hydraulic pressure is applied and the No. 1 solenoid 
valve is energized to engage the system, the solenoid valve 
is held on the seat as long as electrical power is supplied. 
System 1 can be manually disengaged by de-energizing the 
solenoid. 

Upon a failure of the primary channel, the system 1 failure 
indicator will provide an electrical signal to automatically 
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energize the standby channel solenoid valves (servo systems 2 , 

3 and U) and thereby transfer control to the three channel, 
force-summed standby mode of operation. Differential pressure 
transducers are provided across each of the cylinder ports in 
order to provide signals which can be used to determine fail- 
ure status. Provisions are made for manual on-off control of 
each of the four (I4) channels. 

Second failures occurring in the standby system will result in 
control with some degree of degradation. When one of the 
three channels is deactivated, the total servoactuator force 
output is degraded by one third (l/ 3 ) while the system response 
remains unchanged. When a second channel is deactivated, the 
system response is unchanged while the force output is reduced 
by an additional third. Upon complete de-energization of all 
solenoid valves, the triplex actuator is bypassed. Piston 
and seal friction are the only constraints on the piston when 
totally de-energized. The standby system force-shares three 
three servovalves with no deadband in the position control 
loop and uses no force equalization network. Avoiding equal- 
ization is primarily a result of using single-stage Jet pipe 
servovalves which have a considerably lower pressure gain than 
two-stage valves. 


3 . 1 . 3. 5 General Electric 68O J Secondary Actuator 

The General Electric 68OJ Secondary Actuator system is an 
electrohydraulic four channel, force voting configuration. 

The secondary actuator is comprised of four individual modular 
elements, each of which is a small actuator, whose force out- 
puts are summed on a roteLry summing shaft as shown in figure 9. 
The small actuators are connected to the summing shaft by 
rocker arras* 

One version of the actuator assembly has a centering mechanism 
that returns the entire system to center if all channels are 
shut off or if all hydraulic pressure is lost. The centering 
mechanism is held disengaged by pistons in each actuator 
element. Any one piston is sufficient to keep the centering 
disengaged. Another version is identical except that in place 
of the centering mechanism, a braking mechanism is provided. 

In case of shutdown the summing shaft is held in its last 
position by the brake. The braking version was developed for 
longitudinal control systems where maintaining the pitch 
control surface in the last position held before failure was 
a requirement. 



Each individual small actuator element is dedicated to one 
control signal channel. Figure 10 shows a cross section of 
a typical single actuator element. Each element is driven 
by a single-stage Jet pipe electrohydraulic servovalve. Each 
element has a separate LVDT to provide position feedback. 

The normal mode of operation Is for all four elements to 
operate at the same time. The single-stage Jet pipe valves 
have low enough pressure gains that interchannel input com- 
mand differences can be held small enough to eliminate 
deadband in the output. The differential pressure across 
each channel’s piston head is monitored by a differential 
pressure sensor which provides electrical information which 
can be used for cross channel monitoring and/or comparison. 
When the command to one channel differs from the other it will 
force fight the other channel and develop a differential pres- 
sure relative to the others. When the differential pressure 
exceeds a predetermined level, electronic logic will indicate 
that the element has failed and initiate a shutdown by 
de-energizing the element’s solenoid-operated shutoff valve. 

The same shutdown sequence is repeated when the second channel 
fails. However, upon third channel failure the electronic 
logic will shut down both remaining elements since it is not 
possible to determine which of the remaining two elements is 
good, 

3.1.3.6 MRCA Secondary Actuator 

The four channel, force-voted, rotary output actuator, shown 
in figure 11, was developed by Elliott Flight Automation, Ltd 
of England, under a Ministry of Technology contract to develop 
a fail-operational stability augmentation system. It is 
presently in production by Fairy Hydraulic, Ltd for the NATO 
Multi-Role Combat Aircraft (MRCA), 

The actuator is normally utilized as a force summed position 
servo. Separate and isolated servoamplifiers are used for 
each of the four channels to sum the position command input 
and the position feedback and provide a drive for the 
electrohydraulic servovalve of each channel. 

The system is comprised of four separately controlled small 
electrohydraulic actuators which are individually coupled to 
a common output member by clutch plates rotating around the 
common output shaft. Each plate has six tapered lugs which 
engage in six tapered holes in the plate fixed to the common 
output shaft. The plates are held in engagement by applying 
hydraulic pressure to the outside of the clutch plates driven 
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by the actuators. Any difference in position between an 
individual actuator and the common output causes the tapered 
lugs to ride out along the leading edge of the tapered hole 
so that the clutch plate is at a larger distance from the driven 
conmon output plate. For differences less than ^ 0 % of the 
total stroke the actuator force is still transmitted, but for 
larger differences the clutch plate becomes disengaged. 

Positive disengagement is then assured by the action of the 
spring loaded member which automatically Inserts itself 
between the plate driven by the disengaged actuator and the 
common output m^iber. Sideways movement of the clutch plate 
end of the individual actuator output shafts is allowed by 
the knuckle joints at each end of the actuator connecting 
shaft. The sideways motion of the clutch plate is sensed 
by a switch which transmits a failure indication to the pilot. 

The +0.5 inch (12.7 mm) travel of the individual actuators 
is converted to ^20 degrees of output lever rotation so that 
the output stroke can be selected by the length of the output 
lever. 

To avoid disengagement of all four actuator channels due to an 
excessive transient load on the output or to a temporary loss 
of electrical supplies, a gate mechanism operates on the 
actuator output plates such that if any two actuators become 
disengaged, all the available travel in the mechanism is taken 
up and no further disengagement can take place. 

In addition to the electrical position feedback there is a 
low-gain mechanical feedback to center the actuator in the 
event of the loss of electrical power. In other words, the 
actuator will center automatically independent of electrical 
power when either hydraulic supply is on. This action is 
equivalent to mechanical spring centering which is the confen- 
tional but heavier method. The mechanical feedback applies a 
force of sufficient magnitude to the armature of the two-stage 
servovalve to cause the actuator to return to the mid-position. 
The gain of the mechanical feedback is so low that it does not 
affect the performance of the actuator which is dominated by 
the electrical feedback gain. 

3, 1,3.7 B oeing 7^7 Elevator Control (Autoland Option ) 

This system uses two dual primary surface actuators that are 
signalled by the force voted output of three secondary actua- 
tors. Two other surface power actuators are signalled by the 
outputs of the dual actuators. A simplified schematic of the 
basic system is shown in figure 12, and a basic system block 
diagram is shown in figure 13. The system consists of three 
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Breakout of one or two detents will te caused by lar^e 
differences between the secondary actuator control piston 
positions. This can either be caused by a failure in the 
autopilot^ servo amplifier, electrohydraulic valve, or can be 
caused by inherent manufacturing tolerances between channels. 

The simplest method to accomplish failure detection was found 
to be a comparison of each secondary actuator position to the 
summed output position. These same signals are used for 
equalization . 

Vhen the difference between the control piston and the sunmed 
output position exceeds a limit greater than what can be 
expected due to maximum manufacturing tolerances for a certain 
time, the systoK is considered to have a failure, (Presently 
this limit is set for T.5 degrees and 1 second for the TUT). 

In order to avoid nuisance warnings and/or disengagements, 
this detection level must be higher than differences generated 
between channels when maneuvering, 

3,1, 3,8 Lockheed L^lOll Longitudinal Control 

The L-1011 pitch control is provided by a hydraulically 
powered horizontal stabilizer with mechanically geared eleva- 
tors. Four independent hydraulic systems provide power to 
four surface power actuators, any one of which is capable of 
control of the airplane. 

Four autopilot channels are used to control the airplane in 
the fail operational autoland mode. The four autopilot chan- 
nels provide signals to two autopilot actuators ( secondary 
actuators) which command the four surface power actuators 
through the mechanical control system. The method of summing 
the two actuators is shown in figure lU, The two autopilot 
actuators work in a master-slave arrangement where the master 
actuator has a force advantage and overpowers the slave 
actuator in order to eliminate the deadband that would result 
from differences in output between the two channels. Each 
secondary actuator output is measured by dual LVDTs to provide 
a separate feedback signal to the two autopilot channels that 
control each actuator. 

The four autopilot channels are in a dual-dual arrangement as 
shown in figure 15 where a fault in one dual channel shuts 
down that channel and not the other . All four signals are 
voted just ahead of the servoamplifiers and all servoamplifiers 
receive identical input commands. The outputs of each pair 
of servoamplifiers are compared to detect amplifier failures. 
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separate autopilots, each driving a separate closed loop 
position servo (secondary actuator). Each secondary actuator 
displacement is proportional to its respective electrical com- 
mand signal. In the schematic, the three actuator control 
pistons operate into a common output through preloaded detents. 
A pilot feel system that provides centering is also connected 
to the output. This common output could he any type of linkage 
connecting the three pistons and the centering mechanism. To 
provide for triple channel, dual channel, or single 

channel operation, each detent can he disengaged such that no 
force is transmitted from the disengaged channel to the common 
output. The characteristic of the detents when engaged are 
such that only a small incremental force is transmitted to 
the common shaft after the preload is exceeded (i.e,, there is 
a low spring gradient after detent breakout ) , 

With all three detents engaged (triple channel configuration), 
the spring force and any friction and power actuator valve 
loads are reacted by three detent forces with the maximum 
force output triple that of a single channel. With no fail- 
ures, all three control pistons move in a synchronized fashion. 
With a single failure, the system continues to operate even 
if the failed channel is not disconnected. 

When the three autopilot commands are of different magnitude, 
due to tolerances, a disagreement will exist between the three 
actuator pistons. This disagreement must be taken up by the 
detents, forcing two of them to yield. If the centering spring 
is disregarded, the detents in the high and low channels will 
be out-of-detent in opposite directions. If the forces from 
these two detents balance each other, no force will be required 
from the detent with the midvalue position and the output will 
be that of the control piston with the midvalue. When the 
centering spring is considered, the force required to drive 
the centering spring must be obtained from the midvalue chan- 
nel’s detent. The system will select the midvalue of the 
three control piston positions as its output. 


In dufil and triple channel operation, manufacturing tolerances 
between the pitch integrators and null offsets in the glide 
slope beam receivers can cause a steady integration which would 
result in a handover elevator cozamand in the non midvalue 
autopilot channel(s). To avoid this, an equalizing signal 
must be fed to the pitch integrator. The difference between 
each secondary actuator control piston position and the summed 
output position is used for the equalization signal. This 
signal is a measure of each actuator's position difference 
from the controlling channel. 



Each of the two autopilot actuators receive two independent 
electrical position commands. The signals are summed hy the 
elect rohydraulic servovalve torque motor* Error level 
monitoring at the summing amplifiers is used to detect 
servovalve and LYDT failures. 


3 . 1 . 3*9 Concorde Eleven Control 


The Concorde pitch control utilizes aerodynamic sximming to 
increase flight control redundancy. There are three elevens 
at the trailing edge of each wing. Each eleven is operated 
hy its own dual tandem surface power control actuator with 
integrated dual secondary actuators (figure l6). There are 
three hydraulic supplies, two that are normally connected to 
each dual surface power actuator plus a standby system that 
is switched in automatically by a pressure operated transfer 
valve to replace a depicted or depressurized normal system. 
The surface power actuators are operated in a force summed 
arrangement with the main valves synchronized by close 
manufacturing tolerances to eliminate force fight. 


The actuators can be operated electrically by either of the 
two elect rohydraulic servovalves that drive the secondary 
actuators or by a mechanical input lever • When the power 
actuator is being controlled by a secondary actuator the 
mechanical input is disconnected. The secondary actuators 
are integrated with the surface power actuators. Each sec- 
ondary actuator consists of a small slide valve connected to 
a torque motor. The smatll slide valve acta as a pilot valve 
to one of the surface power actuator main control valves* 
When the samll slide valve is moved by the torque motor it 
ports fluid to the ends of one main valve which repositions 
both main valves. 


Damper and autopilot signals directly control the secondary 
actuator, hence the main valve spools and surface power actu- 
ators. The pilot's and copilot's controls have transducers 
that are connected directly into the autopilot electronics 
and provide a fly-by-vire capability through the secondary 
actuators. A parallel booster actuator is used to drive the 
mechanical control cables to keep the mechanical and elec- 
trical surface power actuator inputs in synchronization. 

The secondsui'y actuators eure controlled by two completely 
independent electrical signalling systems, one in operation 
8ind the other one in standby. In case of complete electrical 
control system failure, the airplane can be safely flown 
with mechanical control. 



A monitoring system detects failures that originate in the 
electronics, hydraulic systems or actuators. (Figure IT) 

If there is an electrical failure that causes a spurious 
deflection of the control surface the comparator circuits 
svitch the control to the standby electrical command path. 

The switching is done in two groups of surfaces comprising 
the inner elevons and the center and outboard elevens on each 
wing. For example, if an inner elevon disagreed with the 
other surfaces, both inner elevons would be switched to the 
standby command path. In case of a second failure in a 
group, the surfaces in that group revert to mechanical control. 
The other group of surfaces continues to provide autopilot 
control functions. There is a spring pot with a microswiteh 
on each main servovalve to detect stuck valves. The pilot 
depressurizes any actuator that signals a stuck valve. 



3.2 


TASK 2 ~ SELECTION OF RECOMMENDED ACTUATION SYSTEMS 


The work statement for this task required selecting tvo 
actuator configiirations which explore different methods 
of implementing redundant actuation with applicability 
to the lateral axis as well as the pitch axis for an 
AST application. 

The systems that were selected for examination and 
described in Task 1 are representative of secondary actu- 
ator redundancy concepts currently being used in aircraft 
as well as those that have been developed for specific 
research contracts such as the Survivable Flight Control 
System Development sponsored by the USAF and the NASA F-8c 
Fly-By-Wire Program. Actuator redundancy techniques under 
consideration by NASA for the Space Shuttle actuation 
subsystems were also included. 


All except one of these systems are categorized as either 
force-voted or active /standby systems. 


Force-Voted 


Active /Standby 


B2T0T 
HRM-C 
GE 680J 
MRCA 


HRM-A 

F-8C ( pr imary mode ) 
Concorde 


The one exception is the LTV electromechanical rate— summed 
system. It was not considered a candidate for critical 
flight control systems because: 

a. The complex gearing would make it difficult to 
prove that Jam— type failures would be extremely 
remote 

b. For the same output force the electromechanical 
actuator is larger and heavier than an equivalent 
electrohydraulic actuator. 

c. The electronics to drive a rate-summed actuator 
would require a significant increase in packaging 
size, weight and cost. In addition the system 
dissipates much more power than required for an 
electrohydraulic force-voted actuator, 

(Reference h). 
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It had been noted earlier in the Task 1 discussion that 
although position summing is a method of achieving a single 
valued output of a redundant actuator arrangement , none of 
the systems investigated employ this method either on sur- 
face actuators or secondary actuators. This type of 
configuration is difficult to mechanize practically for more 
than tvD channels because of the complex linkage req^uired. 


3,2*1 System Comparison 

Each of the systems suitable for AST application was 
examined qualitatively with respect to the comparison 
factors discussed in Task 1. 

Load Sharing 

Only actuators in the force-voted category are concerned 
with load sharing. The secondary actuators of the force 
summed systems all use electronic loop closure. Since 
the components that mak:e up feedback loops are essentially 
the same, all the systems should have the same load 
sharing performance. 

Input Mismatch 

Here again only force summed arrangements are concerned 
with mismatched inputs. The B2T0T secondary actuators 
system and the HRM-C sensed the mismatch as reflected 
on the output in terms of differential pressure at each 
individual piston. An electronic signal proportional to 
this differential pressure is fed back as an equalization 
signal in each control channel, to minimize the mismatch. 

The 680J and F8-C systems use no electronic feedback for 
equalization but depend on the low pressure gain of the 
single stage electrohydraulic servo valve to give the 
actuator a low effective spring rate. The lover the actu- 
ator spring rate, the more input mismatch can be tolerated 
for the same design level of load sharing. The 680J and 
f 8-C systems are limited to the degree of input mismatch 
that they can accommodate because of physical pressure gain 
constraint. To operate within these limits, signal condi- 
tioning of input commands by means such as electronic 
voting is required. 

The MRCA system utilized neither feedback equalization nor 
reduced actuator stiffness to accommodate input mismatch, 
Channel mismatches of up to 10 percent of full command are 
absorbed in force detents between each actuator and the 



common output. The detent is constructed to have little 
effect on total system stiffness. The system does require 
upstream voting or some method to assure that inputs have 
differences of less than 10 percent. 

Utilization of equalization feedback gives a great amount of 
flexibility to acconjinodate input mismatch and is probably 
more desirable than requiring electronic complexity upstream 
such as voting to insure closely matched inputs. 

Failure Insensitivity 

The systems applicable to an advanced SST all meet the 
requirements to be operational after two failures. For 
clarification, although the MRCA system is presently a 
l*-actuator configuration powered by two hydraulic supplies, 
additional hydratilic systems could be added to meet the 
fail-operational requirement. 

With respect to surface transients, the force-voted systems 
do not rely upon the failure detection and switching to 
prevent transients. The magnitude of transients is gov- 
erned by the structural stiffness of the mechanical linkage 
connecting the individual actuators. As an example, the 
individual actuators in the 680J system are close together 
and coupled by a very stiff output member. This system has 
almost negligible output transient. 

In the active/standby systems, output transients are 
dependent on the failure detection threshold, switching 
time and the position synchronization of the standby system. 

Active/ standby systems such as the HRM-A type do not suffer 
a performance degradation after the first and second fail- 
ures. Force-voted systems, however, may suffer a performanc 
degradation after successive failures. This degradation is 
caused by residual force fight between channels and reduced 
system force capability. 

Failure Detection Capability 

By design, none of the force-voted systems requires a 
failxire detection capability to keep the system safe for 
the first failure. As long as there is a majority of 
healthy channels the voting system disregards a failed 
channel. The failure detection system must, however, 
isolate the failed channel within a time consistent with 
the probabilities of a second failure. 



All of the force voted systems except the MRCA use the 
differential pressure generated across each individual 
actuator as the source of failed channel logic. The MRCA 
senses motion of the mechanical detent associated vith each 
actuator. Since immediate detection of a failure is not 
critical for safety, the failure detection logic can employ 
a reasonable threshold and time delay. 

In systems such as the B2707 the equalization feedback, which 
is used to minimize effects of input mismatch, degrades the 
failure detection capability. Some failures such as ramps 
can be equalized and therefore masked from detection. 

Failure detection capability in an active/stsuidby system is 
critical to the success of the system concept since the 
detection of failures and switching to standby is necessary 
to be safe. The threshold of detection and the associated 
switching time are set by the allowable surface transients 
for a given application and must be significantly smaller 
than those that can he allowed in a force-voted system. 

These small thresholds make the active/standby system 
vulnerable to inadvertent disconnects. 

Reliability 

Reliability is related to the nxmber of components. Those 
systems that utilize separate electromechanical monitors 
for each of the three working channels such as the HRM-A 
and HRM-C use fewer working channels. Trading the complex- 
ity of three monitors for one additional working channel 
impacts the overall system reliability. If each control 
channel is duplicated with a monitor, the probability of 
that channel or its monitor failing is doubled, A three 
channel monitored system would fail down to a monitored 
single channel operation twice as often as a four channel 
system would fail down to two channels. 

Self Test Capability 

None of the systems examined had specific ability to perform 
a self test within the actuator loop, however, each pos- 
sessed the necessary sensors to provide logic for self test 
mechanization. 

Simplicity 

In general, the four channel force-voted actuation systems 
appear simpler than the three channel systems with monitors. 
However, the upstream signal voting and/or channel equaliza- 
tion electronics increase the complexity of the force-voted 
systems to narrow the difference and make relative simplicity 
difficult to Judge ifithout further study. 
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3,2»2 System Selection 

Examination of the force-voted systems shows little 
difference in fundamental mechanization. The most signi- 
ficant difference is the use of equalization to minimize 
the effects of input mismatch as in the B270T system and 
the operation without equalization as in the 680 J system. 
This difference is a function of the electronics driving 
the systems. The B2T07 used an unvoted analog system which 
had a susceptibility to accumulation of tolerances result- 
ing in significant command mismatch. The 660J also is 
driven by an analog electronic system but one which has a 
monitored voting stage just prior to the actuator, thereby 
guarantying a single valued input to the actuators. The 
requirement for equalization in the actuator is therefore 
eliminated and the failure detection covers only failure 
within the actuator loop. 

There is little difference in the active/ standby systems 
examined. The HRM-A remains an active /standby as the sys- 
tem fails down to single channel. The F8-C system is a 
hybrid system since it fails down to a three channel 
force-voted system after the first failure. The Concorde 
system is a two channel system but achieves overall fail 
operational capability for many dual failures by use of 
multiple aerodynamic surfaces (6 elevens) and voting 
between pairs of surfaces. 

While there is little difference in the variations of either 
force-voted or active/ standby systems there are significant 
philosophical differences between the two categories. 

Failure Detection 

The active /standby concept requires failure detection 
to be safe following failures. The force-voted concept 
does not require immediate detection of a failure to 
be safe. Failure detection is only required to enable 
a failed channel to be shut down before another failure 
occurs. 

Switching 

The standby system must be continually monitored to 
assure that it is capable of control if the active 
channel fails. Further, somewhere in the system a 
device like a switch or blocking vsilve is required to 
operate without prior knowledge of its health to pro- 
vide a successful switch to standby. The force-voted 
system is comprised of only active channels continually 
monitoring each other requiring no switching. 
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Performance After Failure 


The active/standhy concept preserves normal performance 
as it fails dovn from active to standby to second 
standby. The force-voted syst«n may suffer a perform- 
ance degradation as it falls down. This degradation 
can be exhibited in poorer resolution and limited force 
output « 

Either of these two concepts can be mechanized to meet the 
redundancy requiraaents for an advanced supersonic trans- 
port but the philosophical differences in the approach to 
redundancy warrant further study, 

A force-voted configuration should be mechanized in a manner 
similar to the schematic shown in figure l8. The actuator 
is a four channel, force-voted electrohydraulic position 
servo. The four independently controlled actuator channels 
are coupled to a ccanmon output. Each actuator has a LVDT 
to provide position feedback to its flight control channel. 
The differential pressure sensor and bypass valve limit 
the maximum differential pressure and provide an electrical 
signal proportional to the differential pressure which can 
be used for cross channel monitoring and equalization. The 
actuator differential pressure sensor co\ild be a pressure 
transducer that signals a solenoid operated bypass valve. 

The modular nature of the side-by-side design is such that 
studies could be performed with fever or a greater number • 
of actuator elements. 

A schematic of a proposed active /standby study configuration 
is shown in figure 19 . The actuator Is a three channel 
active/ standby position servo employing monitor channels. 

One channel (number l) is engaged for normal operation. 

With a malfunction in the controlling system, a switch is 
made to a standby system and there is no loss in output 
force or performance. If a raalfxmction occurs in system 2 
a switchover to system 3 will be accomplished in a simil6ir 
manner. If system 2 has failed before system 1, failure 
of system 1 will cause a switchover to system 3* In this 
configuration, only a channel that is operational is 
capable of gaining control of the actuator output. 

The failure sensing and switching are electronic rather 
than hydraulic to allow a greater latitude for experimen- 
tation with failure detection levels and switching times. 
The actuator can also be arranged with identical modules 
side-by-side to allow flexibility in the number of actuator 
elements under test. 
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TASK 3, FORMULATION OF MATH MODELS OF Tlffi RECQMMEIJDED SYSTEMS 


Math models of the recoiimiended systems have been formulated. 
These models are in such a form that they may be adapted for 
piloted simulator evaluations using analog and/or digital 
simulation techniques. The math models include all the func- 
tions required so that the following items may be studied: 

o Normal performance 
o Performance after failure 
o Channel equalization 
o Failure and switching transients 
o Failure detection logic 

o Critical overload due to aerodynamic hinge moments 
o Static stiffness as a function of the number of 
hydraulic systems operating 
o Feedback malfunctions 

The math model of the force voted system is shown in 
figures 20 and 21, Table 1 gives nominal parametric data 
which will give an actuator representation with adequate 
output force and performance for use in either pitch or roll 
control. The details of the failure detection and equaliza- 
tion box are shown in figure 21. The parametric values for 
the failure detection and equalization network must be 
developed to be compatible with the airplane and airplane 
control axis that the system is used on. Therefore no values 
have been given. 

The math model of the active /standby system is shown in 
figure 22. The parametric data, except the failure detection 
level, to construct a nominal actuator representation is given 
in table 1, The failure detection level must be set after 
the model is matched to an airplane system. The math models 
were checked by using the models to write the differential 
equations of the system. The equations were solved for 
performance characteristics. Application of stability crite- 
ria showed that the actuators would be stable. All solutions 
provided answers that correlated well with previous analyses 
and data obtained by testing actual hardware. These equa- 
tions were then checked by dimensional analysis in both 
US units and SI units. 

Because of the similarity of the systems and the math models 
to others previously simulated without difficulty, computer 
simulation would not add to the confidence in the models 
gained by paper analysis. Therefore computer simulation that 
had been previously planned was not used for verification. 
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In order to utilize the math models of the secondary actuators 
in a piloted simulation, the actuators must be included in 
a simulation that represents the surface power actuators and 
an airplane, A math model of a surface power actuator that 
would be compatible with the secondary actuator models that 
have been presented is shown in figure 23. The surface power 
actuator model is sensitive to aerodynamic hinge moments and 
changes in hydraulic pressure. For maximum realism the air- 
plane model used in conjunction with the actuator model should 
he one that contains surface hinge moment data. 



TASK h, LONG RANGE PLMNING FO R REDUH DAK T ACTUATION 
' DEVELOP^^¥ 


The draft for the Statement of Work for Phase II is presented 
belov, 

A. SUMMARY 

Large gains in supersonic airplane performance and 
economy are achievable through the use of advanced flight 
control systems. As the advanced large supersonic cruise 
transport must take advantage of these gains, it is essen- 
tial to fully understand and appreciate the implementation 
of these advanced control systems. The use of active 
controls makes this technology transf erratic to other 
classes of aircraft. 

This program, to develop multiple redundant actuation 
concepts and associated hardware required for the advanced 
SST flight control system, has accomplished under Phase I, 
(l) a review of recent developments in redundant control 
systems, (2) the selection of the two most probable can- 
didate redundant actuator concepts, and (3) the 
constniction of math models of the two selected 
configurations , 

The two actuator configurations selected are a four 
channel force-voted system and a three channel active/ 
standby system. 

The force voted configuration is similar to both the 
Boeing SST Horizontal Stabilizer Electric Command Actuator 
and the Secondary Actuator developed by General Electric 
for the Air Force Flight Dynamics Laboratory’s F-r 
Suryivable Plight Control System, 

The active /standby configuration is similar to the 
secondary actuator developed by Hydraulic Research and 
Manufacturing Company for the NASA Manned Spacecraft 
Center’s Project Space Shuttle. 

Under Phase II of this same program, these candidate 
systems are to be further investigated and evaluated to 
(l) formulate the basic knowledge and experience needed 
of the operational and performance characteristics of 
these concepts to establish a technology base for mech- 
anizing advanced flight control systems, and (2) to 
define a research tool to be used in conjunction with an 
ARC simulator to allow a genuine determination of system 



performance, handling qualities effects, and various 
failure modes with flight crew interaction and simulated 
airplane response. 

B. WORK STATEMENT 

The proposed Phase II study of redundant actuation will 
he divided into five tasks. The statement of work for 
each task is as follows. 

1, Task 1 ~ Configuration Definition of Redundant 

Actuator Concepts 

The Phase 1 study that determined the system concepts 
to he further studied in this phase emphasized the 
basic requirements for redundant control systems. 

The two concepts are to he implemented in such a 
manner that they will: 

o Meet normal performance requirements 
o Have limited interchannel force fight 
o Be tolerant of input mismatch 
o Operate after first and second failures 
o Operate at reduced redundancy levels 
o Allow failure monitoring 
o Have self test capability 

The analysis in this task will produce a detail design 
definition of the two actuator system concepts and 
will provide quantitative assessment of their practi- 
cality for the AST airplane design with consideration 
given to scaling of important parameters to other 
aircraft. The factors to be considered are all of 
those stated above, plus failure induced transients, 
load sharing after failure, stability of the basic 
system before and after failure, filtering require- 
ments, the need for mechanical backup to the electric 
command mode of operation, and delay time to regain 
control after failure. 

2 . Task 2 - AST Actuatio n System Requirements 

The B27 07-300 pitch axis configuration as currently 
mechanized in the ARC simulation will be used to 
establish parametric data needed for actuation system 
development. The configuration sensitive parameters 
such as rate of signal input, dynamic response, reso- 
lution, and airplane tolerance to failure transients 
will be determined to formulate the actuation system 
design requirements. 



3. Task 3 - Computer Simulation of Redundancy Concepts 

The purpose of this simulation is to define the nominal 
design parameters to he used in the design of the 
single axis mini-rig. This requires a motion simula- 
tion with a pilot. To fulfill this requirement the 
contractor will furnish a detailed math model of 
the two actuation systems, 

ARC will then implement the math models on the 
simulator. The contractor will submit a test plan 
for simulator checkout procedure and to gather mini« 
rig design parameters. The test plane will include 
a time schedule and pilot requir«nents. The con- 
tractor will perform the test at ARC with appropriate 
ARC support, 

4. Task 4 - Mini-Rig Definition 

The extent of the flight control system required to 
he represented hy the mini-rig will he determined. 
Based in part on the successful operation of the com- 
puter simulation of the AST and control systems 
implemented in Task 3« the advisability of providing 
a mini-rig for both actuation system concepts will he 
determined , The mini— rig will he limited to the 
representation of the secondary actuator system and 
associated electronics with the surface actuators 
remaining part of the computer simulation. The sec- 
ondary actuators will he manufactured to full scale 
reflecting airplane actuator quality and performance 
hut retaining the flexibility required for the planned 
test program. 

The feasibility of using one universal rig or a 
separate rig for each redundancy concept will be 
considered. If two dedicated mini-rigs are used^ 
consideration will he given to assure the ability to 
directly compare results from both rigs. Data 
requirements such as PSAA and computer interface, 
scaling, instrumentation requirements, hydraulic and 
electrical system power requirements, and other rele- 
vant constraints will he specified hy the contractor. 

A mini-rig design specification for each concept will 
he prepared to allow completion of a, mini— rig design 
and fabrication and will contain at least the 
following: 

a. Appropriate construction and material 
specifications 
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Id. System functional description 

c. Detail performance requirements including 
range of adjustments on critical parameters 

d. Safety requirements 

e. Appropriate quality assurance provisions 

f. General acceptance test procedures 

5, Task 3 - Planning for Mini-Rig Design Fabrication 
and Usage 

a. A plan will be formxilated, in conjunction with 
ARC, for mini-rig design and fabrication. 

b. The contractor will provide a descriptive 
document of the mini-rig *s operational capabilities. 

c. The contractor will provide a recommended test 
plan to investigate design problems relating to 
AST flight control actuation. 


C. PROGRAM SCHEDULE 

The recommended schedule for accomplishing the Phase II 
work statement is shown in figure 2h, 
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CONCLUSIONS 


Advanced airplanes will need to use redundant flight control 
actuators to achieve reliahility approaching that of the 
basic airplane because operational flight controls will be 
essential for safe flight and acceptable airplane handling 
qualities* 

Surface restraint to meet the fail safe requirements for 
flutter prevention will dictate the minimum redundancy 
levels allowable for control surface power actuators. 

Airplanes with redundant flight control surfaces may have 
dual surface power actuators if a third hydraulic system 
is provided* Control surfaces that are critical for con- 
trol functions will require at least three actuators per 
starface in order to meet FAA requirements and provide an 
adequate level of safety* 

Reliability requirements for actuators that amplify 
autopilot, stability augmentation and pilot commands to 
provide inputs to the control surfaces are determined 
by the need to operate in spite of control signal mal- 
functions. Actuation systeirs with fault corrective 
capability that will meet the system reliability require- 
ments and satisfy FAA regulations require at least four 
active channels or three monitored channels* Surface power 
actuators could be mechanized with this level of redundancy 
but it has been found to be more efficient to utilize small 
secondary actuators to provide a reliable single input to 
the surface power actuators. 

Based on a review and examination of current redundant 
actuation systems, two concepts were found to be represen- 
tative of secondary actuator mechanization which would meet 
advanced airplane flight control system requirements* Both 
of these systems should be studied by NASA since they reflect 
different design philosophies. The two actuator configura- 
tions are a four-channel force-voted system and a three- 
channel active/ standby system. 

Redundant control systems have operating and failure 
characteristics that are affected by system design and that 
interact with the pilot and the airplane in which they are 
installed. Redundant actuators should be studied in con-^ 
junction with a pilot and an AST airplane to understand pilot 
reaction and airplane response to variations in control sys- 
tem characteristics and failures, NASA Ames has a facility 
that is well suited to pilot-control system-airplane studies 
in the FSAA. Use of the FSAA to study redundant actuator 
mechanization will gain technical knowledge that will benefit 
future advanced airplane designs. 
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FIGURE 5. -HRM-A SECONDARY ACTUA TOR HYDRAULIC SCHEMA TIC 
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FIGURE 7 . -HRM‘C SECONDARY ACTUA TOR HYDRAULIC SCHEMA TIC 
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FIGURE 9.-MECHANICAL SCHEMATIC, SECONDARY ACTUATOR SUMMING 
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FIGURE 12.-747 TRIPLE-PITCH CHANNEL CONFIGURATION 
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FIGURE 14.~L1011 DUAL SECONDARY ACTUATOR 
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FIGURE W.-ACTiVE STANDBY ACTUATOR, SINGLE ACTUATOR ELEMENT 
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TABLE 1 

ACTUATOR PARAMETERS 


Value 


Symbol 



SI Units 

US Units 

A 


Piston area 

1.9 X 10“ V 

0,294 in^ 

®1 


Linkage freeplay 

5.08 X 10”5jn 

0.002 in 

B2 


Hysteresis due to friction 

, o 4T ma 

o 13 m^/sec 

n/m'i 

. o 47 ma 

^ , ..-4 in^/ sec 

3.69x10 

Cp 


Flow gain/pressure gain 



Damping/ channel 


8 

D 


m/sec . 

in/sec 

Ff 


Coulomb friction/channel 

17.8 N 

4 Ibf 

Fi,F2 

etc 

Actuator force output 

N 

Ibf 

Hi 


Feedback gain (K^^K^Kf) 

204.33 V/jn 

5.19 v/in 

Ka 


Servo amp gain 

57.6 ma/V 

57.6 ma/V 

Kc 


Centering spring 

variable N/j^ 

variable Ib/^jj 

Kdm 


Demodulator gain 

1.25 vdc/vac 

1.25 vdc/vac 

• Kf 


feedback amp gain 

0.296 V/V 

0.296 V/V 



Open loop gain 

122 sec“^ 

122 sec“^ 

Kp 


Pressure gain 

2. 24x1 0^ — 

ma 

325 

wSl 

Hsi 


Actuator structural spring 

1.98 X 10 ^ N/m 

1.13 X 10^ Ibf /in 

Ks2 


Actuator rod spring 

3.5 X 10^ N/m 

2 X 10 ^ Ibf/in 

K 


Actuator 

2.55 X 10*^ H/m 

1.46 X 105 Ibf /in 

Ky 


dynamic spring K 3 ^^L+ 4 j^ 
Valve flow gain 

1.97 X 10-6 

ma 

12 

* ma 

Kx 


LVDT output 

550 v/^ 

14 v/in 

L 


Actuator stroke (2 

+ 0,0127 m 

1 0.5 in 

M 


Load mass /channel 

20 kgTO 

llU 

in 

Hm 


Maximum actuator AP 

6.9 »/m2 

1000 psi 

P.J. 


Bypass pressure 

6 .U N/m 2 

930 psi 

Xo.Xi 

etc 

Output displacements 

m 

in 



Oil bulk modulus 

1.03 H/m^ 

150,000 Ib/ijj^ 

V 1 .V 2 

etc 

Input signal voltage 

V 

V 
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